Testing DNS beacon in a lab without getting/buying a domain

Assuming you already have an Active Directory lab with a domain set up, you can use it to set up a custom domain that exists only inside the lab. We'll use it for testing a DNS beacon in Cobalt Strike. The Domain Controller needs to be set up as the DNS server for all computers in the lab; this is usually done in the firewall setup, for example in pfSense. If you are looking to get started, I recommend looking at the Guide To Pentesting course by DemmSec and the Building Your Own Super Duper Home Lab SANS webcast.

To set up a custom domain we need to create a DNS zone. This is done in DNS Manager:


Right-clicking Forward Lookup Zones, we add a new zone. Let's call it BEACON.LAN, since that will be our TLD existing only in our lab. It should be a primary zone resolved at the DC. We keep the other settings at their defaults. It should look like this:


Next, we create a host record pointing to our team server. Let's use the parent domain (right-click, New Host). We also create two delegations (right-click, New Delegation), which delegate subdomains to our team server (the authoritative nameserver for those subdomains). Choose the parent domain as the FQDN of the nameserver. Those subdomains will be used for the beaconing process. You should get results similar to this:



Now it's time to test. Using the dig command we can verify that our domain resolves as expected:

root@unicorn:~# dig +short NS beacon.lan
dc01.skynet.local.
root@unicorn:~# dig +short NS profiles.beacon.lan
beacon.lan.
root@unicorn:~# dig +short NS news.beacon.lan
beacon.lan.
root@unicorn:~# dig +short A beacon.lan
192.168.1.102

This means our authoritative nameserver is resolving correctly. Let's test it now in Cobalt Strike with a DNS beacon. Under Listeners we create a windows/beacon_dns/reverse_http listener and set our domains for both the staging and the beaconing process.



We then create the executable, move it to the target and launch it.



... and we have our C2 going. I was using the DNS TXT staging executable, which takes a bit longer to stage than the HTTP alternative but runs entirely over DNS. HTTP staging also works. The staging process looks like this:
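As an added example (not from the original post), here is the defender's side of this setup: a short Python script that flags, in DNS query logs, the pattern the beacon above produces, one client issuing many never-repeated labels under a single delegated zone, with a high share of TXT lookups while staging over DNS. The log format and the 192.168.1.x sample lines are constructed, and the three-label zone depth is an assumption matching the profiles.beacon.lan and news.beacon.lan delegations above.

```python
from collections import defaultdict

# Constructed sample log, "<client> <qtype> <qname>" per line (not a real server log format).
# 192.168.1.50 behaves like the beacon above (fresh labels, TXT while staging); .51 is ordinary traffic.
SAMPLE_LOG = """\
192.168.1.50 A www.example.lan
192.168.1.50 TXT 1a2b3c4d.profiles.beacon.lan
192.168.1.50 TXT 5e6f7a8b.profiles.beacon.lan
192.168.1.50 TXT 9c0d1e2f.profiles.beacon.lan
192.168.1.50 TXT 3d4e5f6a.profiles.beacon.lan
192.168.1.50 A a1b2c3d4.news.beacon.lan
192.168.1.50 A e5f6a7b8.news.beacon.lan
192.168.1.50 A c9d0e1f2.news.beacon.lan
192.168.1.50 A 3a4b5c6d.news.beacon.lan
192.168.1.51 A www.example.lan
192.168.1.51 A mail.example.lan
192.168.1.51 A www.example.lan
"""

def delegated_zone(qname, depth=3):
    """Zone key for a query: its last `depth` labels (assumes third-level delegations
    like profiles.beacon.lan), so every beacon label collapses onto one zone."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-depth:])

def score_clients(log_text, min_queries=4, min_unique_ratio=0.8):
    """Flag (client, zone) pairs where almost every query carries a never-repeated
    label; unique_ratio near 1.0 plus a high txt_share is the beacon's signature."""
    stats = defaultdict(lambda: {"total": 0, "names": set(), "txt": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        client, qtype, qname = parts
        s = stats[(client, delegated_zone(qname))]
        s["total"] += 1
        s["names"].add(qname.lower())
        s["txt"] += qtype.upper() == "TXT"
    findings = []
    for (client, zone), s in stats.items():
        ratio = len(s["names"]) / s["total"]
        if s["total"] >= min_queries and ratio >= min_unique_ratio:
            findings.append({"client": client, "zone": zone, "queries": s["total"],
                             "unique_ratio": round(ratio, 2),
                             "txt_share": round(s["txt"] / s["total"], 2)})
    return sorted(findings, key=lambda f: -f["queries"])

if __name__ == "__main__":
    for finding in score_clients(SAMPLE_LOG):
        print(finding)
```

On real resolver logs the thresholds need tuning per zone, since CDNs and some telemetry also generate unique labels; the TXT share is what separates DNS staging from those.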


That's it for my first post and constructive feedback is always welcome.

Cheers, Franci

PS: More info on exploiting Active Directory-Integrated DNS by Kevin Robertson
